Results 1–10 of 34
Security Bounds for the Design of Code-Based Cryptosystems, 2009
Cited by 55 (5 self)
Code-based cryptography is often viewed as an interesting “Post-Quantum” alternative to the classical number theory cryptography. Unlike many other such alternatives, it has the convenient advantage of having only a few, well identified, attack algorithms. However, improvements to these algorithms have made their effective complexity quite complex to compute. We give here some lower bounds on the work factor of idealized versions of these algorithms, taking into account all possible tweaks which could improve their practical complexity. The aim of this article is to help designers select durably secure parameters.
Cryptanalysis of GRINDAHL
Cited by 15 (5 self)
Abstract. Due to recent breakthroughs in hash functions cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA-256. This paper provides the first cryptanalytic work on this new scheme. We show that the 256-bit version of GRINDAHL is not collision resistant. With a work effort of approximately 2^112 hash computations, one can generate a collision. Key words: GRINDAHL, hash functions, RIJNDAEL.
How to Securely Release Unverified Plaintext in Authenticated Encryption
Cited by 11 (2 self)
Abstract. Scenarios in which authenticated encryption schemes output decrypted plaintext before successful verification raise many security issues. These situations are sometimes unavoidable in practice, such as when devices have insufficient memory to store an entire plaintext, or when a decrypted plaintext needs early processing due to real-time requirements. We introduce the first formalization of the releasing unverified plaintext (RUP) setting. To achieve privacy, we propose using plaintext awareness (PA) along with IND-CPA. An authenticated encryption scheme is PA if it has a plaintext extractor, which tries to fool adversaries by mimicking the decryption oracle without the secret key. Releasing unverified plaintext then becomes harmless as it is infeasible to distinguish the decryption oracle from the plaintext extractor. We introduce two notions of plaintext awareness in the symmetric-key setting, PA1 and PA2, and show that they expose a new layer of security between IND-CPA and IND-CCA. To achieve integrity of ciphertexts, INT-CTXT in the RUP setting is required, which we refer to as INT-RUP. These new security notions are used to make a classification of symmetric-key schemes in the RUP setting. Furthermore, we re-analyze existing authenticated encryption schemes, and provide solutions to fix insecure schemes.
Linearization attacks against syndrome based hashes. Cryptology ePrint Archive, Report 2007/295, 2007
Cited by 9 (0 self)
Abstract. In MyCrypt 2005, Augot, Finiasz, and Sendrier proposed FSB, a family of cryptographic hash functions. The security claim of the FSB hashes is based on a coding theory problem with hard average-case complexity. In the ECRYPT 2007 Hash Function Workshop, new versions with essentially the same compression function but radically different security parameters and an additional final transformation were presented. We show that hardness of average-case complexity of the underlying problem is irrelevant in collision search by presenting a linearization method that can be used to produce collisions in a matter of seconds on a desktop PC for the variant of FSB with claimed 2^128 security.
On building hash functions from multivariate quadratic equations. Lecture Notes in Computer Science, 2007
Cited by 8 (1 self)
Abstract. Recent advances in hash functions cryptanalysis provide a strong impetus to explore new designs. This paper describes a new hash function mqhash that depends for its security on the difficulty of solving randomly drawn systems of multivariate equations over a finite field. While provably achieving preimage resistance for a hash function based on multivariate equations is relatively easy, naïve constructions using multivariate equations are susceptible to collision attacks. In this paper, therefore, we describe a mechanism, also using multivariate quadratic polynomials, yielding the collision-free property we seek while retaining provable preimage resistance. Therefore, mqhash offers an intriguing companion proposal to the provably collision-free hash function vsh.
Really fast syndrome-based hashing. URL: http://eprint.iacr.org/2011/074, 2011
Cited by 6 (1 self)
Abstract. The FSB (fast syndrome-based) hash function was submitted to the SHA-3 competition by Augot, Finiasz, Gaborit, Manuel, and Sendrier in 2008, after preliminary designs proposed in 2003, 2005, and 2007. Many FSB parameter choices were broken by Coron and Joux in 2004, Saarinen in 2007, and Fouque and Leurent in 2008, but the basic FSB idea appears to be secure, and the FSB submission remains unbroken. On the other hand, the FSB submission is also quite slow, and was not selected for the second round of the competition. This paper introduces RFSB, an enhancement to FSB. In particular, this paper introduces the RFSB-509 compression function, RFSB with a particular set of parameters. RFSB-509, like the FSB-256 compression function, is designed to be used inside a 256-bit collision-resistant hash function: all known attack strategies cost more than 2^128 to find collisions in RFSB-509. However, RFSB-509 is an order of magnitude faster than FSB-256. On a single core of a Core 2 Quad Q9550 CPU, RFSB-509 runs at 10.67 cycles/byte: faster than SHA-256, faster than 7 of the 14 second-round SHA-3 candidates, and faster than 3 of the 5 SHA-3 finalists. Key words: compression functions, collision resistance, linearization, generalized birthday attacks, information-set decoding, tight reduction to L1 cache.
Analysis of Multivariate Hash Functions
Cited by 6 (1 self)
Abstract. We analyse the security of new hash functions whose compression function is explicitly defined as a sequence of multivariate equations. First we prove non-universality of certain proposals with sparse equations, and deduce trivial collisions holding with high probability. Then we introduce a method inspired from coding theory for solving underdefined systems with a low density of nonlinear monomials, and apply it to find collisions in certain functions. We also study the security of message authentication codes HMAC and NMAC built on multivariate hash functions, and demonstrate that families of low-degree functions over GF(2) are neither pseudorandom nor unpredictable.
FSBday: Implementing Wagner’s generalized birthday attack against the SHA-3 round-1 candidate FSB
Cited by 6 (2 self)
Abstract. This paper applies generalized birthday attacks to the FSB compression function, and shows how to adapt the attacks so that they run in far less memory. In particular, this paper presents details of a parallel implementation attacking FSB-48, a scaled-down version of FSB proposed by the FSB submitters. The implementation runs on a cluster of 8 PCs, each with only 8 GB of RAM and 700 GB of disk. This situation is very interesting for estimating the security of systems against distributed attacks using contributed off-the-shelf PCs. Keywords: SHA-3, Birthday, FSB – Wagner, not much Memory
SYND: a fast code-based stream cipher with a security reduction
Cited by 4 (0 self)
In this note we reconsider the code-based pseudorandom generator proposed by Fischer and Stern. This generator is proven as secure as the syndrome decoding problem but has two main drawbacks: it is slow (3000 bits/s) and a large size of memory is needed (88 kilobytes). We propose a variation on the scheme which avoids them: the use of regular words speeds the system up and the use of quasi-cyclic codes allows a decrease of the memory requirements. We eventually obtain a generator as fast as AES in counter mode using only about 8000 bits of memory. We also give a more precise security reduction.
Syndrome based collision resistant hashing
Cited by 3 (0 self)
Abstract. Hash functions are a hot topic at the moment in cryptography. Many proposals are going to be made for SHA-3, and among them, some provably collision resistant hash functions might also be proposed. These do not really compete with “standard” designs as they are usually much slower and not well suited for constrained environments. However, they present an interesting alternative when speed is not the main objective. As always when dealing with provable security, hard problems are involved, and the fast syndrome-based cryptographic hash function proposed by Augot, Finiasz and Sendrier at Mycrypt 2005 relies on the problem of Syndrome Decoding, a well known “Post-Quantum” problem from coding theory. In this article we review the different variants and attacks against it so as to clearly point out which choices are secure and which are not.